Azure Key Vault - Non-Exportable Key Certificate

Yang, Steven 151 Reputation points
2023-09-02T16:18:43.93+00:00

I don't quite understand the use case for a 'non-exportable key certificate'. Does it just mean the app needs to reach back to AKV to obtain the private key at the time of decryption? Can someone shed some light?

Best,

Steven


Accepted answer
  1. Akshay-MSFT 17,961 Reputation points Microsoft Employee Moderator
    2023-09-05T10:44:29.8933333+00:00

    @Yang, Steven

    Thank you for posting your query on Microsoft Q&A. From the above comment, I understand that you are looking for reasons why we need non-exportable keys.

    Please do correct me if this is not the case by responding in the comments section:

    Private keys in Azure Key Vault can be marked as non-exportable when you want to provide an additional layer of security for sensitive data and applications. You may want to mark private keys as non-exportable to protect sensitive data, secure applications, meet compliance requirements, and prevent data breaches.

    Following are some use cases for a private key being marked as non-exportable:

    • If you need to meet compliance requirements, such as HIPAA, PCI DSS, and GDPR, you may want to mark the private keys as non-exportable to ensure that sensitive data is protected in accordance with regulatory requirements.
    • By marking the private keys as non-exportable, you can prevent unauthorized users from accessing or using sensitive data, even if they gain access to the Azure Key Vault.
    • When you want a different relying party/application to call an Azure AD registered API (as the public key would contain the secret), Key Vault access should be granted to the application with non-exportable keys.

    We noticed your feedback that the answer on this thread was not helpful.

    Thank you for taking time to share your feedback. Kindly let us know what we could have done better to improve the answer and make your experience better.

    I tried to clarify the response in the latest post and update the solution; I request that you kindly re-take the survey for your experience on this thread.

    However, if your issue remains unresolved, please let us know how we can assist. We are here to help you, strive to make your experience better, and greatly value your feedback. Looking forward to your reply. We much appreciate your feedback!

    Thanks,

    Akshay Kaushik

    1 person found this answer helpful.

1 additional answer

  1. Vinodh247 34,826 Reputation points MVP Volunteer Moderator
    2023-09-02T16:33:24.8366667+00:00

    Hi Yang, Steven:

    Let me know if this helps:

    When a Key Vault certificate is created, it can be retrieved from the addressable secret with the private key in either PFX or PEM format. The policy that's used to create the certificate must indicate that the key is exportable. If the policy indicates that the key is non-exportable, then the private key isn't a part of the value when it's retrieved as a secret. The addressable key becomes more relevant with non-exportable Key Vault certificates. The addressable Key Vault key's operations are mapped from the keyusage field of the Key Vault certificate policy that's used to create the Key Vault certificate.

    https://learn.microsoft.com/en-us/azure/key-vault/certificates/about-certificates#exportable-or-non-exportable-key

    Exportable and non-exportable keys

    After a Key Vault certificate is created, you can retrieve it from the addressable secret with the private key. Retrieve the certificate in PFX or PEM format.

    • Exportable: The policy used to create the certificate indicates the key is exportable.
    • Non-exportable: The policy used to create the certificate indicates the key is non-exportable. In this case, the private key isn't part of the value when it's retrieved as a secret. Supported key types: RSA, RSA-HSM, EC, EC-HSM, oct (listed here). Exportable is only allowed with RSA and EC. HSM keys would be non-exportable.

    Please 'Upvote' and 'Accept' as answer if the reply was helpful. This will benefit other community members who face the same issue.

    1 person found this answer helpful.
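The two answers above describe the mechanism (the private key stays in the vault, the secret view carries no key, and the addressable key's operations come from the policy's keyUsage) and the reasons for wanting it (the key cannot be copied out even by someone who can read the vault). The script below is an added example, not code from either answer or from Microsoft: it builds a certificate policy with `exportable` set to `false`, creates the certificate, shows that the secret endpoint returns the certificate without a private key, and then performs sign and decrypt through the addressable key, which is what the original question was asking about. It assumes the Azure CLI, OpenSSL and an already-authenticated session; `VAULT` and `CERT_NAME` are placeholders, and the `az keyvault key sign/encrypt/decrypt` flags are written as I know them (check `az keyvault key --help` for your CLI version). The policy-building and policy-checking helpers run offline; the vault calls run only when the script is invoked with `run`.

```shell
#!/bin/sh
# Added example, not from the Q&A thread or from Microsoft.
# VAULT and CERT_NAME are placeholders; override them in the environment.
VAULT="${VAULT:-my-vault-placeholder}"
CERT_NAME="${CERT_NAME:-app-signing-cert}"

# Emit a certificate policy with exportable=false. Field names follow the JSON
# that `az keyvault certificate get-default-policy` prints. keyUsage drives the
# operations later allowed on the addressable key: digitalSignature -> sign/verify,
# keyEncipherment -> encrypt/decrypt/wrapKey/unwrapKey.
# Usage: make_non_exportable_policy "CN=subject" [RSA|RSA-HSM]
make_non_exportable_policy() {
  subject="$1"
  key_type="${2:-RSA}"
  printf '%s\n' \
    '{' \
    '  "issuerParameters": { "name": "Self" },' \
    "  \"keyProperties\": { \"exportable\": false, \"keyType\": \"$key_type\", \"keySize\": 2048, \"reuseKey\": false }," \
    '  "secretProperties": { "contentType": "application/x-pkcs12" },' \
    '  "x509CertificateProperties": {' \
    "    \"subject\": \"$subject\"," \
    '    "keyUsage": [ "digitalSignature", "keyEncipherment" ],' \
    '    "validityInMonths": 12' \
    '  }' \
    '}'
}

# Reads a policy JSON on stdin; exit status 0 means the policy would let the
# private key leave the vault. Useful as a pre-deployment check on policy files.
policy_allows_export() {
  grep -q '"exportable": *true'
}

demo() {
  make_non_exportable_policy "CN=${CERT_NAME}" RSA > policy.json

  # 1. Key pair is generated inside Key Vault; the private half never leaves.
  az keyvault certificate create --vault-name "$VAULT" -n "$CERT_NAME" -p @policy.json

  # 2. The secret view of the certificate is a PKCS#12 blob with the certificate
  #    only, so an app reading it cannot cache the private key locally.
  #    (On OpenSSL 3 add -legacy if the blob uses a legacy PBE.)
  az keyvault secret show --vault-name "$VAULT" -n "$CERT_NAME" --query value -o tsv \
    | base64 -d > cert-only.p12
  openssl pkcs12 -in cert-only.p12 -nokeys -passin pass: | openssl x509 -noout -subject

  # 3. Private-key operations go through the addressable key (the "kid"). Each
  #    call is authenticated against the vault's access policy/RBAC and logged,
  #    which is the control you get in exchange for the extra round trip.
  KID=$(az keyvault certificate show --vault-name "$VAULT" -n "$CERT_NAME" --query kid -o tsv)
  echo "addressable key: $KID"

  DIGEST=$(printf 'payload to sign' | openssl dgst -sha256 -binary | base64)
  az keyvault key sign --vault-name "$VAULT" -n "$CERT_NAME" --algorithm RS256 --digest "$DIGEST"

  # Decryption works the same way: ciphertext in, plaintext out, key stays put.
  CT=$(az keyvault key encrypt --vault-name "$VAULT" -n "$CERT_NAME" --algorithm RSA-OAEP \
         --value 'hello from the app' --data-type plaintext --query result -o tsv)
  az keyvault key decrypt --vault-name "$VAULT" -n "$CERT_NAME" --algorithm RSA-OAEP \
    --value "$CT" --data-type plaintext --query result -o tsv
}

if [ "${1:-}" = "run" ]; then
  demo
fi
```

The answer to the original question is therefore yes, with one correction: the app does not obtain the private key at decryption time, it sends the ciphertext (or digest) to the vault and receives the result. The `key sign`/`key decrypt` calls only succeed if the caller holds the corresponding key permission, so that permission, not possession of a PFX file, is what to audit.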
